Bug 1487878 - Ovirt-imageIO missing firewalld rule
Summary: Ovirt-imageIO missing firewalld rule
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-node
Classification: oVirt
Component: General
Version: 4.1
Hardware: All
OS: Linux
unspecified
medium vote
Target Milestone: ovirt-4.1.7
: 4.1
Assignee: Yuval Turgeman
QA Contact: dguo
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-02 23:17 UTC by Bradley
Modified: 2017-11-13 12:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-13 12:24:49 UTC
oVirt Team: Integration
rule-engine: ovirt-4.1+
dguo: testing_ack+


Attachments (Terms of Use)

Description Bradley 2017-09-02 23:17:23 UTC
Description of problem: Ovirt-imageIO-daemon is missing 54322 open port rule. This causes a failure when trying to upload images. 


Version-Release number of selected component (if applicable): Ovirt-Node-ng-4.1.5


How reproducible: Fresh install of Ovirt Node NG


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Edit VDSM XML in /usr/lib/firewalld/services/vdsm.xml to open the imageIO daemon. Workaround is to run "firewall-cmd --zone=public --permanent --add-port=54322/tcp; firewall-cmd --reload" on each node in production.

Comment 1 Dan Kenigsberg 2017-09-03 19:39:03 UTC
Actually, https://github.com/firewalld/firewalld/blob/master/config/services/ovirt-imageio.xml should provide this port independently.

This should be already available in CentOS-7.4's firewalld. With which one have you been testing?

Comment 2 Ryan Barry 2017-09-03 19:47:46 UTC
The question is whether this is in the node preset, and whether we have a 7.4 node yet. I'm on PTO and can't check until Tuesday. Yuval, can you look at this?

Comment 3 Bradley 2017-09-03 20:07:23 UTC
Node is running 7.3.1611 from the Node-NG 4.1.5 image that was published.

Comment 4 dguo 2017-10-17 02:50:03 UTC
Checked on rhvh-4.1-0.20171012.0+1

Test versions:
[root@dhcp-8-109 ~]# imgbase w
You are on rhvh-4.1-0.20171012.0+1

Test steps:
1. Fresh install rhvh

2. Check ovirt-imageio XML under firewalld
[root@dhcp-8-109 ~]# cat /usr/lib/firewalld/services/ovirt-imageio.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>oVirt Image I/O</short>
  <description>oVirt Image I/O simplifies the workflow of introducing new oVirt images into the oVirt environment.</description>
  <port protocol="tcp" port="54322"/>
</service>

3. After registering to engine, check 54322 port is open 
[root@dhcp-8-109 ~]# iptables -L -x -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54321
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54322
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:111
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:16514
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2223
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:6923
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 49152:49216
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:6081
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:6081

4. Upload image to the storage domain, upload can be successfully

Thus, this bug can be verified on rhvh-4.1-0.20171012.0


Note You need to log in before you can comment on or make changes to this bug.